CVE-2025-2505: 
WordPress vulnerability analysis and mitigation

The Age Gate plugin for WordPress contains a critical Local PHP File Inclusion vulnerability (CVE-2025-2505) discovered in all versions up to and including 3.5.3. The vulnerability was disclosed on March 20, 2025, affecting over 40,000 WordPress websites. This security flaw allows unauthenticated attackers to include and execute arbitrary PHP files on the server through the 'lang' parameter (NVD, SecurityOnline).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal). The vulnerability exists in the plugin's handling of the 'lang' parameter, which fails to properly validate file paths, allowing attackers to include and execute arbitrary PHP files on the server (NVD).

The vulnerability can lead to severe consequences including bypass of access controls, extraction of sensitive data, and potential code execution when attackers can upload and include files that appear safe (like images). In cases where file upload capabilities exist, attackers could achieve full server compromise by establishing persistent backdoors and exploiting web server configuration weaknesses to escalate privileges (SecurityOnline).

The developers have released a patched version (3.5.4) that resolves the security flaw. Website administrators and WordPress users are strongly urged to update their Age Gate plugin immediately to mitigate the risk (SecurityOnline).